IoT and behavioural authentication

Access & Identity Management Handbook 2020 Access Control & Identity Management

IoT represents an increasing security risk to compromise your most personal security credentials.

Security begins at home and it begins with you, the individual. IoT represents an increasing security risk to individuals in the form of pervasive, always-on monitoring of your personal activity with a potential compromise of your most personal security credentials.

Consider the four factors of authentication. First and foremost is something you know – a password for example. The second is something you have, such as an access card, key fob or hardware-based token generator. Third is something you are, such as your iris pattern or fingerprint – both are typical biometrics. The fourth factor of authentication is something you do – the way you walk, breathe, speak or any other manner of activity which has a recognisable and unique pattern over time. This latter is called behavioural authentication and while this factor is often tied into general biometrics, it is distinctly different.

It’s not unimaginable at this point that your fourth factor of authentication can be reconstructed from data gathered by IoT devices. Think about how Internet-connected shoes can learn intimate details of their wearer’s gait; or the smartwatch that learns the specific timing of its wearer’s heartbeat. Then there is the speaker-based home assistant that learns the pitch and timbre of the home occupants’ voices.

Post quantum security

The first two factors of authentication rely on a number, key or phrase that is susceptible to brute force attacks to crack the credential. While still a long way off, the immense power of quantum computing will undermine the security of the first two factors of authentication. The advent of quantum computing will mean that technology manufacturers will come to increasingly rely on the third and fourth authentication factors.

When the encryption mechanisms behind passwords and OTPs become insecure, you will certainly find yourself logging into your Internet banking with a passphrase spoken into your microphone. Your typing style, based on flight, sequence and pressure, will become your ongoing signature. These voice and keyboard behaviours are just two patterns that are in use today and will become increasingly important.

Just like you would not be careless with your house keys, it’s important to know the value your habits will one day have. In a situation where the data collected by IoT devices compromises users’ habits, those people would lose the ability to secure their devices and their logins.

For example the first known financial scam using synthesised voice was reported in September 2019[1] when scammers replicated a CEO’s voice to authorise payments totalling R3,6 million from a company. This was done using deep fake (a technique for human image synthesis based on artificial intelligence)-derived AI and various voice recordings of the victim.

Commitment to privacy

There have been some positive developments in the privacy space, following increased scrutiny from legislators in the form of GDPR/PoPIA and general public awareness around exploitation of personal data. The various social media data abuse scandals over the years are also turning public sentiment. People are becoming more aware and protective of their personal data which will extend to behavioural data as well.

Manufacturers of IoT devices are also showing encouraging signs, for example Amazon has added auto delete features to its Alexa range after previously admitting that audio recordings are stored indefinitely[2]. Moreover, Apple changed its policy to no longer retain audio recordings by default. It’s worth taking into serious consideration the fact that Google’s chief of devices and services recommended that one should disclose if one’s home has smart-home devices installed before issuing invitations to guests[3].

As IoT devices proliferate, vendors must commit to transparency about what data they collect and how they use it. A firm legislative effort to curb needless collection of data, especially around sensitive activity and habit patterns, will go a long way to securing the market for a post-password authentication world. Until then, buyers of IoT devices need to read the fine print and make sure they know what behavioural data is being collected and how it is used.


Gregory Dellas

[1] https://threatpost.com/deep-fake-of-ceos-voice-swindles-company-out-of-243k/147982/

[2] https://www.theverge.com/2019/7/3/20681423/amazon-alexa-echo-chris-coons-data-transcripts-recording-privacy

[3] https://www.bbc.com/news/technology-50048144




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Smart intercoms are transforming access control
Access Control & Identity Management Products & Solutions
Smart intercoms have emerged as a pivotal tool in modern access control. They provide a seamless and secure way to manage entry points without the need for traditional security guards to validate visitors before granting them access.

Read more...
Easy, secure access for student apartments
Paxton Access Control & Identity Management Surveillance
Enhancing Security and Convenience at Beau Vie II Student Accommodation, a student apartment block located at Banghoek Road, Stellenbosch, with Paxton's access control and video management solution

Read more...
Invixium acquires Triax Technologies
News & Events Access Control & Identity Management
Invixium has announced it has acquired Triax Technologies to expand its biometric solutions with AI-based RTLS (Real-Time Location Systems) offering for improved safety and productivity at industrial sites and critical infrastructure.

Read more...
ControliD's iDFace receives ICASA certification
Impro Technologies News & Events Access Control & Identity Management
The introduction of Control iD's iDFace facial biometric reader, backed by mandatory ICASA certification, underscores the commitment to quality, compliance, and innovation.

Read more...
The future of workplace access
HID Global Access Control & Identity Management
Mobile credentials are considerably more secure than physical access control, because they eliminate the need for physical cards or badges, support multiple security protocols, and add layers of protection on top of basic card encryption.

Read more...
Integrated, mobile access control
SA Technologies Entry Pro Technews Publishing Access Control & Identity Management
SMART Security Solutions spoke to SA Technologies to learn more about what is happening in the estate access world and what the company offers the residential estate market.

Read more...
Bespoke access for prime office space
Paxton Access Control & Identity Management Residential Estate (Industry)
Nicol Corner is home to a six-star fitness club, prime office space, and an award-winning rooftop restaurant. It is also the first building in South Africa to have its glass façade fully incorporate fritted glazing, saving 35% on energy consumption.

Read more...
Next-generation facial recognition access control system
Enkulu Technologies Products & Solutions Access Control & Identity Management Residential Estate (Industry)
With a modern and innovative design, iDFace is the ideal device for monitoring and controlling people entering and exiting a building using facial recognition technology, including liveness detection, for enhanced security.

Read more...
Long-distance vehicle identification
STid Security Products & Solutions Access Control & Identity Management Residential Estate (Industry)
The STid SPECTRE reader can identify vehicles up to 14 metres away, across four traffic lanes, ensuring secure access to an estate without disrupting the traffic flow.

Read more...